NFTs worth $1.7M stolen via OpenSea phishing attack

Collectors of NFTs that used OpenSea have been affected by a phishing attack, with a total of 254 tokens estimated to be worth more than $1.7 million stolen over a three-hour period.

On Saturday, OpenSea became aware of rumors about smart contracts connected to the non-fungible token (NFT) marketplace. In investigating the claims, it discovered that users were actually being affected by a fairly typical phishing attack.

Emails made to look like an OpenSea Community Update were sent to customers, inviting them to migrate their Ethereum listings to a new smart contract. As OpenSea introduced its own legitimate smart contract one day prior, the phishing email took advantage of the change.

According to OpenSea and CEO Devin Finzer on Twitter, the phishing attack doesn't appear to be connected to the OpenSea website itself, and was operated separately, reports Decrypt. It seems that only 32 people were affected by the email, signing a contract with a malicious payload, which led to the victims signing over NFTs to the attacker.

In an explainer thread linked by Finzer, it appears the attack had the victims sign half of a Wyvern order, Wyvern being an open-source standard typically used in NFT smart contracts. The order was effectively empty except for call data and a target of the attacker's contract, with the victim signing one half while the attacker signed the other.

After signing, the attacker calls their own contract listed in the double-signed order, which then starts the process of transferring the victim's NFTs to the attacker.
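
The near-empty order described in the explainer thread is something a wallet or signing tool can check for before the user signs. The sketch below is an added example, not code from OpenSea, Wyvern or the thread. It assumes a simplified order object with the fields `target`, `calldata`, `basePrice`, `paymentToken`, `taker` and `expirationTime`, a hypothetical allowlist of expected contracts, and constructed addresses and call data.

```javascript
// Added example: review a Wyvern-style order before signing it.
// Field names are a simplified, assumed order shape; all addresses are constructed.
const ZERO_ADDRESS = "0x" + "0".repeat(40);
const TRUSTED_TARGETS = new Set(["0x" + "a".repeat(40)]); // hypothetical allowlist

// Treat missing, empty, zero and zero-address values as "not filled in".
function isBlank(value) {
  if (value === undefined || value === null) return true;
  const s = String(value).toLowerCase();
  return s === "" || s === "0" || s === "0x" || s === ZERO_ADDRESS;
}

function reviewOrder(order, trustedTargets = TRUSTED_TARGETS) {
  const findings = [];
  const target = String(order.target || "").toLowerCase();

  // The article's order pointed at the attacker's contract, so an unknown target is a finding.
  if (!isBlank(target) && !trustedTargets.has(target)) {
    findings.push("target is not on the allowlist of expected contracts");
  }
  // The pattern from the article: call data and a target, everything else empty.
  const terms = ["basePrice", "paymentToken", "taker", "expirationTime"];
  if (!isBlank(order.calldata) && terms.every((f) => isBlank(order[f]))) {
    findings.push("call data present but no price, token, taker or expiry");
  }
  return { safeToSign: findings.length === 0, findings };
}

// Constructed sample: the near-empty order described in the explainer thread.
const suspiciousOrder = {
  target: "0x" + "b".repeat(40), calldata: "0x1234abcd",
  basePrice: "0", paymentToken: ZERO_ADDRESS, taker: ZERO_ADDRESS, expirationTime: 0,
};
// Constructed sample: an ordinary listing with a price and an expiry.
const normalListing = {
  target: "0x" + "a".repeat(40), calldata: "0x1234abcd",
  basePrice: "1500000000000000000", paymentToken: ZERO_ADDRESS,
  taker: ZERO_ADDRESS, expirationTime: 1700000000,
};

for (const [name, order] of Object.entries({ suspiciousOrder, normalListing })) {
  console.log(name, JSON.stringify(reviewOrder(order)));
}
```

Either finding on its own is reason to stop and verify the request through the marketplace's own site rather than a link in an email.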

Since the discovery, some of the NFTs that were taken have been returned, while others have been sold by the attacker. An examination of the attacker's wallet reveals it has collected Ethereum valued at $1.7 million, far below a $200 million valuation that spread via rumors.

OpenSea is still investigating the incident to determine how exactly the attack took place.



18 Comments

bonobob 13 Years · 395 comments

 smart contracts connected to the non-fungible token (NFT) marketplace. 

Did you mean to say non-functional tokens?  The only thing I've seen them accomplish is to transfer wealth from one person to another, with no value in return.

badmonk 11 Years · 1336 comments

Looks like people got suckered twice.

M68000 7 Years · 887 comments

Time will tell with all this bitcoin and crypto stuff.  Some believe it is really just a big Ponzi scheme.  Warren Buffett has said he has no interest - he said it produces nothing therefore it has no value.  

viclauyyc 10 Years · 847 comments

M68000 said:
Time will tell with all this bitcoin and crypto stuff.  Some believe it is really just a big Ponzi scheme.  Warren Buffett has said he has no interest - he said it produces nothing therefore it has no value.  

This also applies to some currencies in the world which are no longer backed by gold or silver. But of course, these currencies are backed by the countries. So people trust this money based on the faith that the country can guarantee the value. Will a country back a cryptocurrency? I don't think so; the risk is too high and there is almost no way to control it. But will a country use it as their own currency? It is already happening.